BILL ANALYSIS

                                                                  AB 1755
                                                                  Page  1

          AB 1755 (Gomez)
          As Amended March 28, 2014
          Majority vote 

           HEALTH              19-0
           Ayes:  Pan, Maienschein, Ammiano, Gordon, Bonilla, Bonta, Chávez,
                  Chesbro, Gomez, Gonzalez, Roger Hernández, Lowenthal,
                  Waldron, Nazarian, Nestande, Patterson, Ridley-Thomas,
                  Wagner, Wieckowski

           SUMMARY:  Changes the requirements for specified health  
          facilities, regarding the protection of patients' medical  
          information, from preventing unlawful or unauthorized access to,  
          and use or disclosure of, medical information, to a requirement  
          that these health facilities must prevent breaches of patients'  
          medical information.  Changes the interval for the required  
          reporting of an incident involving a breach of patient  
          information to the Department of Public Health (DPH) and the  
          patient from five business days to requiring reporting without  
          unreasonable delay and no later than 60 calendar days after the  
          breach, as specified.

           FISCAL EFFECT:  None

           COMMENTS:  According to the author, this bill will improve  
          California's notice requirement specific to breaches of medical  
          information by moving it closer to federal law and removing an  
          extra administrative layer that requires health facilities  
          covered by state and federal laws to analyze all potential  
          breaches under both schemes related to notification requirements  
          and take different action depending on the circumstances of the  
          potential breach.  The bill adopts the Health Information  
          Technology for Economic and Clinical Health Act standard, which  
          was adopted in regulation January 2013 after extensive public  
          comment and negotiation.  The author states the bill clarifies  
          what must be reported, changes the timing of the notification to  
          "as soon as reasonably possible but no later than 60 calendar  
          days after discovery of the breach," and given the sensitivity  
          of medical information, ensures that patients have the option of  
          designating an alternate address where notice may be sent or  
           The author argues that the existing state scheme specific to  
           medical information, on the other hand, applies to the "unlawful  
           or unauthorized" access to, or use or disclosure of, a patient's  
          medical information, requiring notification within five business  
          days without allowing for any consideration of risk or harm to  
          the patient.  The author explains that because California law  
          does not allow for a risk assessment, health facilities must  
          send a notification even in the event of a minor breach that may  
          unnecessarily alarm a patient.  According to the author, this  
          excessive notification requirement takes significant  
          administrative resources and with the short five business day  
           timeline in California law, is nearly unworkable.  The author  
           concludes that, by strictly specifying how patients must be  
           notified of these breaches, California's law does not provide  
           adequate security for patients, such as minors, who live at home  
           but who have exercised their constitutional right to keep their  
           health issues confidential.

           The federal requirements require covered entities to provide  
           notification following a breach of unsecured protected health  
           information.  In addition, they provide a 60 calendar day  
           timeline and allow for a risk assessment prior to notification,  
           ensuring that patients are made aware when there has been a  
           breach of their information and that they take the notification  
           seriously in order to respond appropriately.  

          According to the sponsors, Planned Parenthood Affiliates of  
          California and the California Medical Association, there are  
          significant differences between the two main schemes related to  
          notification requirements under state and federal law.  The  
           sponsors state that each of the two main schemes has different  
           timelines and method requirements for notification, a different  
           standard for what types of data are covered, and a different  
           standard for what qualifies as a breach and must be reported.   
          The co-sponsors argue this bill ensures patients are adequately  
          alerted to serious medical information breaches and streamlines  
          requirements on health facilities saving healthcare costs and  
          allowing healthcare providers to put those resources back into  
           patient care.  The California Hospital Association supports the  
           bill because it would address the problem that state and  
           federal law are inconsistent and would simplify administrative  
           requirements for health facilities.  Other supporters argue that  
          better aligning of state law with the updated and thoroughly  
          vetted federal regulations will reduce the administrative burden  
          on health facilities and free up resources for patient care.

          The Electronic Frontier Foundation (EFF) opposes this bill  
          because it will weaken existing data breach reporting  
          requirements by greatly delaying reporting, from the current  
          five business days to 60 calendar days after detection.  EFF is  
          also concerned with the new standard using the definition of  
          breach which excludes certain disclosures that must be reported  
          in existing law but would not be in this bill.  The American  
          Civil Liberties Union (ACLU) opposes the bill unless it is  
          amended to address the current bill's weakening of breach  
          reporting and notification standards.  The ACLU is particularly  
          concerned that this bill significantly lengthens the time  
          allowed before reporting to a patient or DPH must occur.

           Analysis Prepared by:  Roger Dunstan / HEALTH / (916) 319-2097  

                                                                FN: 0003361